US-7089417

Cryptographic information and flow control

Published: August 8, 2006
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method of providing cryptographic information and flow control includes first determining a target domain from an IP address. An organization policy is looked up from a credential store, and an algorithm and credentials specified for the target domain are looked up in a domain-credential map. Any further credentials that are provided and that are permitted by the organizational policy are added. A working key is then generated, and information is received in the form of a receive packet. Any packet header is stripped from the receive packet and the remaining data is encrypted. Key splits are retrieved from the credential store, and are combined to form a key-encrypting key. The working key is then encrypted with the key-encrypting key, and a CKM header is encrypted. The encrypted CKM header is concatenated to the beginning of the encrypted data to form transmit data, and the packet header and the transmit data are concatenated to form a transmit packet. The transmit packet is then provided to a network interface card for transmission on a network.

Patent Claims
19 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of providing a secure network packet, said method comprising: generating a working key; encrypting, based at least in part on said working key, target data; binding together a plurality of key splits to form a cryptographic key; encrypting, based at least in part on the cryptographic key, said working key; and forming the secure network packet including the encrypted target data and the encrypted working key; wherein said plurality of key splits includes a domain key split and a user key split.

2. The method of claim 1, wherein the working key is generated randomly or pseudo-randomly.

3. The method of claim 1, wherein the secure network packet is provided at least in part by an integrated circuit.

4. The method of claim 1, wherein the secure network packet is provided at least in part by a network interface device.

5. The secure network packet provided by the method of claim 2.

6. The method of claim 1, further comprising extracting at least one of said plurality of key splits from a credential store.

7. The method of claim 1, wherein at least one of said plurality of key splits is a default key split.

8. The method of claim 1, wherein at least one of said plurality of key splits is selected by a user.

9. The method of claim 1, wherein at least one of the target data and said working key is encrypted according to a default cryptographic algorithm.

10. The method of claim 1, wherein at least one of the target data and said working key is encrypted according to a user selected cryptographic algorithm.

11. A method of accessing encrypted target data encapsulated by a secure network packet, comprising: parsing the secure network packet to provide the encrypted target data and an encrypted working key; binding together a plurality of key splits to form a cryptographic key; decrypting, based at least in part on the cryptographic key, the encrypted working key; and decrypting, based at least in part on the decrypted working key, the encrypted target data to provide decrypted target data; wherein said plurality of key splits includes a domain key split and a user key split.

12. The method of claim 11, wherein the secure network packet is accessed at least in part by an integrated circuit.

13. The method of claim 11, wherein the secure network packet is accessed at least in part by a network interface device.

14. The decrypted target data and the cryptographic key provided by the method of claim 11.

15. The method of claim 11, further comprising extracting at least one of said plurality of key splits from a credential store.

16. The method of claim 11, wherein at least one of said plurality of key splits is a default key split.

17. The method of claim 11, wherein at least one of said plurality of key splits is selected by a user.

18. The method of claim 11, wherein at least one of the encrypted target data and the encrypted working key is decrypted according to a default cryptographic algorithm.

19. The method of claim 11, wherein at least one of the encrypted target data and the encrypted working key is decrypted according to a user selected cryptographic algorithm.
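
The send and receive flows described in the abstract and in claims 1 and 11, as an added Go example that is not code from the patent or from this page. It assumes AES-256-GCM as the cipher, HMAC-SHA256 as the split combiner (the page names neither), and treats the wrapped working key as the CKM header; the names `BindSplits`, `Protect` and `Access` are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// BindSplits forms the key-encrypting key; HMAC-SHA256 is an assumed combiner.
func BindSplits(domain, user []byte) []byte {
	m := hmac.New(sha256.New, domain)
	m.Write(user)
	return m.Sum(nil)
}

func gcm(key []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key) // every key passed in here is exactly 32 bytes
	g, _ := cipher.NewGCM(blk)
	return g
}

// Protect returns transmit data: wrapped working key followed by encrypted data.
func Protect(data, domain, user []byte) []byte {
	r := make([]byte, 32+12+12) // working key, then one GCM nonce per encryption
	rand.Read(r)
	wk, n1, n2 := r[:32], r[32:44:44], r[44:]
	out := gcm(BindSplits(domain, user)).Seal(n1, n1, wk, nil)
	return gcm(wk).Seal(append(out, n2...), n2, data, nil)
}

// Access rebuilds the key from the splits, unwraps the working key, decrypts the data.
func Access(td, domain, user []byte) ([]byte, error) {
	const wrappedLen = 12 + 32 + 16 // nonce + encrypted working key + GCM tag
	if len(td) < wrappedLen+12 {
		return nil, fmt.Errorf("transmit data too short: %d bytes", len(td))
	}
	wk, err := gcm(BindSplits(domain, user)).Open(nil, td[:12], td[12:wrappedLen], nil)
	if err != nil {
		return nil, err // wrong or missing split: the GCM tag check fails
	}
	return gcm(wk).Open(nil, td[wrappedLen:wrappedLen+12], td[wrappedLen+12:], nil)
}

func main() {
	d, u := []byte("domain-split"), []byte("user-split") // constructed sample splits
	fmt.Println(Access(Protect([]byte("payload"), d, u), d, u))
}
```

The caller strips the packet header before `Protect` and prepends it to the returned transmit data, matching the order given in the abstract.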

Patent Metadata

Filing Date: November 18, 2003

Publication Date: August 8, 2006

Cite as: Patentable. “Cryptographic information and flow control” (US-7089417). https://patentable.app/patents/US-7089417